File name:

2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn

Full analysis: https://app.any.run/tasks/9f4c5fac-f353-4540-a023-22eef3136b02
Verdict: Malicious activity
Analysis date: May 15, 2025, 21:27:20
OS: Windows 10 Professional (build: 19044, 64 bit)
Tags:
jeefo
auto-reg
Indicators:
MIME: application/vnd.microsoft.portable-executable
File info: PE32 executable (GUI) Intel 80386, for MS Windows, 3 sections
MD5:

BECD7005ECE0895216CC7811244F8D8F

SHA1:

CB7DCA91C348AA1D7AC027429BB93E91D465D103

SHA256:

43DD8F556669280935B894ECACAC2BDD176238998D2649AA6636B6503977490D

SSDEEP:

49152:5cMtGnePWkiCk7uScXIZ3cpD5oKhxc9gle5n1qfO0bWWgrHkj3rA8/2lN/HFVBBD:5cMSeP1k7uScE2DCKPcCe51qfO0xwsU3

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided as-is for the user's information. ANY.RUN does not guarantee the maliciousness or safety of the content.
  • MALICIOUS

    • JEEFO has been detected

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • explorer.exe (PID: 8088)
      • icsys.icn.exe (PID: 8068)
      • svchost.exe (PID: 8128)
    • Changes the autorun value in the registry

      • explorer.exe (PID: 8088)
      • svchost.exe (PID: 8128)
  • SUSPICIOUS

    • Executable content was dropped or overwritten

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
      • icsys.icn.exe (PID: 8068)
      • explorer.exe (PID: 8088)
      • spoolsv.exe (PID: 8108)
    • Starts application with an unusual extension

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
    • Disables SEHOP

      • BraveUpdate.exe (PID: 7508)
    • Starts itself from another location

      • BraveUpdate.exe (PID: 7508)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • explorer.exe (PID: 8088)
      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
      • svchost.exe (PID: 8128)
    • Creates/Modifies COM task schedule object

      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
    • Reads security settings of Internet Explorer

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7772)
    • Executes as Windows Service

      • BraveUpdate.exe (PID: 7816)
    • The process creates files with name similar to system file names

      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
    • There is functionality for taking screenshot (YARA)

      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7816)
    • Creates or modifies Windows services

      • svchost.exe (PID: 8128)
  • INFO

    • Create files in a temporary directory

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • explorer.exe (PID: 8088)
      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
      • svchost.exe (PID: 8128)
      • spoolsv.exe (PID: 8148)
    • The sample compiled with English language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
      • explorer.exe (PID: 8088)
      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
    • Checks supported languages

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe (PID: 7404)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7772)
      • explorer.exe (PID: 8088)
      • icsys.icn.exe (PID: 8068)
      • spoolsv.exe (PID: 8108)
      • svchost.exe (PID: 8128)
      • spoolsv.exe (PID: 8148)
    • The sample compiled with Bulgarian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with German language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Arabic language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with French language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Czech language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Indonesian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Japanese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Polish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Korean language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Italian language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Portuguese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Slovak language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Swedish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • The sample compiled with Turkish language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • Reads the computer name

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdateComRegisterShell64.exe (PID: 7628)
      • BraveUpdateComRegisterShell64.exe (PID: 7684)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdateComRegisterShell64.exe (PID: 7656)
      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7816)
      • svchost.exe (PID: 8128)
    • The sample compiled with Chinese language support

      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
      • BraveUpdate.exe (PID: 7508)
    • Brave updater related mutex has been found

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7560)
      • BraveUpdate.exe (PID: 7596)
      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7772)
    • Creates files in the program directory

      • BraveUpdate.exe (PID: 7508)
      • BraveUpdate.exe (PID: 7816)
    • The sample compiled with Russian language support

      • BraveUpdate.exe (PID: 7508)
      • 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe  (PID: 7428)
    • Checks proxy server information

      • BraveUpdate.exe (PID: 7716)
      • BraveUpdate.exe (PID: 7772)
      • slui.exe (PID: 3020)
    • Process checks computer location settings

      • BraveUpdate.exe (PID: 7508)
    • Reads the software policy settings

      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7716)
      • slui.exe (PID: 3020)
    • Reads the machine GUID from the registry

      • BraveUpdate.exe (PID: 7816)
      • BraveUpdate.exe (PID: 7772)
      • BraveUpdate.exe (PID: 7716)
    • Auto-launch of the file from Registry key

      • explorer.exe (PID: 8088)
      • svchost.exe (PID: 8128)
    • Manual execution by a user

      • explorer.exe (PID: 6972)
      • svchost.exe (PID: 6040)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
No Malware configuration.

TRiD

.exe | Win32 Executable (generic) (52.9)
.exe | Generic Win/DOS Executable (23.5)
.exe | DOS Executable Generic (23.5)

EXIF

EXE

MachineType: Intel 386 or later, and compatibles
TimeStamp: 2013:04:01 07:08:22+00:00
ImageFileCharacteristics: No relocs, Executable, No line numbers, No symbols, 32-bit
PEType: PE32
LinkerVersion: 6
CodeSize: 106496
InitializedDataSize: 12288
UninitializedDataSize: -
EntryPoint: 0x290c
OSVersion: 4
ImageVersion: 1
SubsystemVersion: 4
Subsystem: Windows GUI
FileVersionNumber: 1.0.0.0
ProductVersionNumber: 1.0.0.0
FileFlagsMask: 0x0000
FileFlags: (none)
FileOS: Win32
ObjectFileType: Executable application
FileSubtype: -
LanguageCode: English (U.S.)
CharacterSet: Unicode
ProductName: Project1
FileVersion: 1
ProductVersion: 1
InternalName: TJprojMain
OriginalFileName: TJprojMain.exe
No data.
All screenshots are available in the full report
Total processes
145
Monitored processes
20
Malicious processes
8
Suspicious processes
0

Behavior graph

Process nodes in the graph (nodes tagged #JEEFO carry the detection; "no specs" marks processes with no notable indicators):
start
#JEEFO 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
braveupdate.exe
braveupdate.exe no specs
braveupdate.exe no specs
braveupdatecomregistershell64.exe no specs
braveupdatecomregistershell64.exe no specs
braveupdatecomregistershell64.exe no specs
braveupdate.exe
braveupdate.exe
braveupdate.exe
#JEEFO icsys.icn.exe
#JEEFO explorer.exe
spoolsv.exe
#JEEFO svchost.exe
spoolsv.exe no specs
svchost.exe no specs
explorer.exe no specs
slui.exe
2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe no specs

Process information

PID
CMD
Path
Indicators
Parent process
PID:
3020
CMD:
C:\WINDOWS\System32\slui.exe -Embedding
Path:
C:\Windows\System32\slui.exe
Parent process:
svchost.exe
User:
admin
Company:
Microsoft Corporation
Integrity Level:
MEDIUM
Description:
Windows Activation Client
Exit code:
0
Version:
10.0.19041.1 (WinBuild.160101.0800)
Modules
Images
c:\windows\system32\slui.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
c:\windows\system32\user32.dll
PID:
6040
CMD:
c:\windows\resources\svchost.exe RO
Path:
C:\Windows\Resources\svchost.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\svchost.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
6972
CMD:
c:\windows\resources\themes\explorer.exe RO
Path:
C:\Windows\Resources\Themes\explorer.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\windows\resources\themes\explorer.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7320
CMD:
"C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path:
C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
MEDIUM
Exit code:
3221226540
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
PID:
7404
CMD:
"C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe"
Path:
C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Parent process:
explorer.exe
User:
admin
Integrity Level:
HIGH
Exit code:
0
Version:
1.00
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\msvbvm60.dll
PID:
7428
CMD:
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Path:
C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Parent process:
2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update Setup
Version:
1.3.361.151
Modules
Images
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\shlwapi.dll
PID:
7508
CMD:
C:\WINDOWS\SystemTemp\GUMCFA7.tmp\BraveUpdate.exe /installsource taggedmi /install "appguid={AFE6A462-C574-4B8A-AF43-4CC60DF4563B}&appname=Brave-Release&needsadmin=prefers&ap=release&installdataindex=default&referral=none"
Path:
C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdate.exe
Parent process:
2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Version:
1.3.361.151
Modules
Images
c:\windows\systemtemp\gumcfa7.tmp\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7560
CMD:
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regsvc
Path:
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
Parent process:
BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7596
CMD:
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /regserver
Path:
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe
Parent process:
BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\braveupdate.exe
c:\windows\system32\ntdll.dll
c:\windows\syswow64\ntdll.dll
c:\windows\system32\wow64.dll
c:\windows\system32\wow64win.dll
c:\windows\system32\wow64cpu.dll
c:\windows\syswow64\kernel32.dll
c:\windows\syswow64\kernelbase.dll
c:\windows\syswow64\apphelp.dll
c:\windows\syswow64\advapi32.dll
PID:
7628
CMD:
"C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe"
Path:
C:\Program Files (x86)\BraveSoftware\Update\1.3.361.151\BraveUpdateComRegisterShell64.exe
Parent process:
BraveUpdate.exe
User:
admin
Company:
BraveSoftware Inc.
Integrity Level:
HIGH
Description:
BraveSoftware Update
Exit code:
0
Version:
1.3.361.151
Modules
Images
c:\program files (x86)\bravesoftware\update\1.3.361.151\braveupdatecomregistershell64.exe
c:\windows\system32\ntdll.dll
c:\windows\system32\kernel32.dll
c:\windows\system32\kernelbase.dll
c:\windows\system32\apphelp.dll
c:\windows\system32\advapi32.dll
c:\windows\system32\msvcrt.dll
c:\windows\system32\sechost.dll
c:\windows\system32\rpcrt4.dll
c:\windows\system32\bcrypt.dll
Total events
18 796
Read events
14 670
Write events
4 057
Delete events
69

Modification events

PID: 7404
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Key: HKEY_CURRENT_USER\SOFTWARE\VB and VBA Program Settings\Explorer\Process
Operation: write
Name: LO
Value:
1

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Key: HKEY_CURRENT_USER\SOFTWARE\BraveSoftware\Promo
Operation: write
Name: StubInstallerPath
Value:
c:\users\admin\desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: path
Value:
C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: UninstallCmdLine
Value:
"C:\Program Files (x86)\BraveSoftware\Update\BraveUpdate.exe" /uninstall

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: pv
Value:
1.3.361.151

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\Clients\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: name
Value:
Brave Update

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update\ClientState\{B131C935-9BE6-41DA-9599-1F776BEB8019}
Operation: write
Name: pv
Value:
1.3.361.151

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BraveUpdate.exe
Operation: write
Name: DisableExceptionChainValidation
Value:
0

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: brave_task_name_c
Value:
BraveSoftwareUpdateTaskMachineCore{0079883D-4BFC-4457-9507-EE9FAF217DDC}

PID: 7508
Process: BraveUpdate.exe
Key: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\BraveSoftware\Update
Operation: write
Name: brave_task_name_ua
Value:
BraveSoftwareUpdateTaskMachineUA{C17AEF7B-B9EF-4463-B097-7BF0DF1DE0F4}
Executable files
149
Suspicious files
4
Text files
0
Unknown types
0

Dropped files

PID
Process
Filename
Type
PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveCrashHandler.exe
Type: executable
MD5: E32AF913C1976855A2593B794283881A
SHA256: 3DC996A4698ACFF5D6719472D0A68650B73F5FBB98B08C9FA80AEFAC4ED1823C

PID: 7404
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Users\admin\Desktop\2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Type: executable
MD5: 85F0E92D01D6D42F00FFD05E768C154C
SHA256: 1B081D480DCA9945932B89B3F234F4416BB20F41943762BCC7B5FF058546AF47

PID: 7404
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe
Filename: C:\Windows\Resources\Themes\icsys.icn.exe
Type: executable
MD5: FCFCF07E3909E9FF3D1655A3768D8384
SHA256: E93F85F73FD88FBE673589BCDAA96197C3D0072FB7FC09A1FEABD6EC760774FA

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateCore.exe
Type: executable
MD5: 727CADCA7E67757F5B59BF14A5E5E972
SHA256: 6B0DB820DA7BBE869E467636A69A3CAE8308F78E87EEFBA57D20878FA91A43C2

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateComRegisterShellArm64.exe
Type: executable
MD5: 0B4C043FE5198D65816F84E3545E6D4E
SHA256: F2354D0E4FF44678754F12ED92E909F581BC281D2BAC5B744D8D034891859AE5

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateComRegisterShell64.exe
Type: executable
MD5: 603886C2DFAF72EE6A6BDD0A8E9117F6
SHA256: 840DF16E062C3618E4C7058E4E784AFDDFC4B3E0492A8DE64FE91F18DE1346F4

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\BraveUpdateOnDemand.exe
Type: executable
MD5: DD9CA9B806C6DA413261F005BF5B6883
SHA256: 6BCACD4DCFDB659F77FE4DB51DC0CF919C2AF18C17245FEEAF309C5B6921A7A4

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psuser_64.dll
Type: executable
MD5: 2FA22EEDC974D62E0DC1B2E4F442B523
SHA256: 6F675E906E9D033403EEF8B261E16113A1E89EFDA20CB004887C777BB9E3105F

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psuser.dll
Type: executable
MD5: 572FC1A712D8C6EA71CBDC10604AD762
SHA256: 179D8E75A48C1FCBA7BEA13E7029A64628D36DB8186E88875AD9F92BA8158BE2

PID: 7428
Process: 2025-05-15_becd7005ece0895216cc7811244f8d8f_amadey_black-basta_elex_hellokitty_hijackloader_luca-stealer_swisyn.exe 
Filename: C:\Windows\SystemTemp\GUMCFA7.tmp\psmachine_arm64.dll
Type: executable
MD5: 70F6CD69B463BBD428E23D98A9F59AA6
SHA256: 82DF37917C462ECBF5F8BFAA05BE432BB5EEB9F93E6CDC61A52C1839D0555A11
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
8
TCP/UDP connections
55
DNS requests
18
Threats
0

HTTP requests

PID
Process
Method
HTTP Code
IP
URL
CN
Type
Size
Reputation
5064
SIHClient.exe
GET
200
23.216.77.32:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.216.77.32:80
http://crl.microsoft.com/pki/crl/products/MicRooCerAut_2010-06-23.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.1.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.216.77.32:80
http://crl.microsoft.com/pki/crl/products/MicTimStaPCA_2010-07-01.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20ECC%20Product%20Root%20Certificate%20Authority%202018.crl
unknown
whitelisted
5064
SIHClient.exe
GET
200
23.35.229.160:80
http://www.microsoft.com/pkiops/crl/Microsoft%20Update%20Signing%20CA%202.2.crl
unknown
whitelisted

Connections

PID
Process
IP
Domain
ASN
CN
Reputation
40.127.240.158:443
settings-win.data.microsoft.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
4
System
192.168.100.255:138
whitelisted
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted
6544
svchost.exe
20.190.159.131:443
login.live.com
MICROSOFT-CORP-MSN-AS-BLOCK
IE
whitelisted
7716
BraveUpdate.exe
3.171.214.82:443
updates.bravesoftware.com
US
shared
3812
svchost.exe
239.255.255.250:1900
whitelisted
7816
BraveUpdate.exe
3.171.214.82:443
updates.bravesoftware.com
US
shared
7772
BraveUpdate.exe
13.32.99.123:443
dl.brave.com
AMAZON-02
US
whitelisted
7900
svchost.exe
3.161.82.8:443
updates-cdn.bravesoftware.com
US
whitelisted
3216
svchost.exe
172.211.123.249:443
client.wns.windows.com
MICROSOFT-CORP-MSN-AS-BLOCK
FR
whitelisted

DNS requests

Domain
IP
Reputation
settings-win.data.microsoft.com
  • 40.127.240.158
whitelisted
google.com
  • 142.250.185.238
whitelisted
client.wns.windows.com
  • 172.211.123.249
whitelisted
login.live.com
  • 20.190.159.131
  • 40.126.31.0
  • 20.190.159.73
  • 20.190.159.71
  • 40.126.31.3
  • 40.126.31.69
  • 20.190.159.4
  • 20.190.159.0
whitelisted
updates.bravesoftware.com
  • 3.171.214.82
  • 3.171.214.3
  • 3.171.214.112
  • 3.171.214.65
shared
dl.brave.com
  • 13.32.99.123
  • 13.32.99.23
  • 13.32.99.78
  • 13.32.99.14
whitelisted
updates-cdn.bravesoftware.com
  • 3.161.82.8
  • 3.161.82.23
  • 3.161.82.36
  • 3.161.82.75
whitelisted
slscr.update.microsoft.com
  • 4.175.87.197
whitelisted
crl.microsoft.com
  • 23.216.77.32
  • 23.216.77.29
  • 23.216.77.31
  • 23.216.77.35
  • 23.216.77.21
  • 23.216.77.25
  • 23.216.77.33
  • 23.216.77.27
  • 23.216.77.30
whitelisted
www.microsoft.com
  • 23.35.229.160
whitelisted

Threats

No threats detected
No debug info